APT34’s New Backdoor: SideTwist Variant Technical Analysis

This blog post comes from the “APT34’s New Backdoor: SideTwist Variant Technical Analysis” by the Brandefense Research Team. For more details about the analysis, download the report.

Summary

We examined the current variants of SideTwist, the backdoor that the Iranian state-sponsored threat actor APT34 (also known as OilRig) has been using in its attack campaigns since 2021, and describe their capabilities, purposes, and similarities to the original SideTwist malware.

The analysis also gives insight into what has stayed the same and what has changed, from past to present, in the attack campaigns of APT34, which operates mostly in the Middle East region and focuses on espionage, including cyber espionage.

Although the SideTwist backdoor is generally used to steal sensitive information from government institutions through phishing campaigns and to maintain access to compromised networks, APT34 also appears to be continuing to strengthen its arsenal and improve its capabilities.

Overview

Filename: MyCV.doc
Filetype: MS Word Document
Written Language: N/A
MD5: 64f8dfd92eb972483feaf3137ec06d3c
SHA1: 3d71d782b95f13ee69e96bcf73ee279a00eae5db
SHA256: 8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618
First Seen / Detection Date: 2023-07-08
Initial Infection Vector: Phishing Email
Table 1: Phishing Document

Filename: Menorah.exe
Filetype: Win32 EXE
Written Language: .NET
MD5: 868da692036e86a2dc87ca551ad61dd5
SHA1: c9d18d01e1ec96be952a9d7bd78f6bbb4dd2aa2a
SHA256: 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345
First Seen / Detection Date: 2023-07-08
Initial Infection Vector: Phishing Document
Table 2: Menorah backdoor (SideTwist variant) dropped by the document

Filename: GGMS Overview.doc
Filetype: MS Word Document
Written Language: N/A
MD5: 056378877c488af7894c8f6559550708
SHA1: c9d18d01e1ec96be952a9d7bd78f6bbb4dd2aa2a
SHA256: c2a0d899dd535d7cf0729b3307d054780985e0cebd21cca5614c1417225c86ee
First Seen / Detection Date: 2023-07-19
Initial Infection Vector: Phishing Email
Table 3: Phishing Document

Filename: SystemFailureReporter.exe
Filetype: Win64 EXE
Written Language: C/C++
MD5: 5e0b8bf38ad0d8c91310c7d6d8d7ad64
SHA1: eb3a3fa719328e662d573774181cbd0bc1be1920
SHA256: 7b83ca04240ca8769eb0f01a873674aa2891a4aa702d5cf632e7ecc284c38bc9
First Seen / Detection Date: 2023-06-16
Initial Infection Vector: Phishing Document
Table 4: SideTwist variant backdoor dropped by the document

Similarities to SideTwist Backdoor

The similarities we detected in the file samples and campaign details obtained from the latest phishing campaigns carried out by APT34 are listed below. They are functional similarities covering the whole chain of actions taken by the threat actor, from the initial entry into the target system via the phishing document to the final payloads that handle communication between the victim and the threat actor.

The SideTwist backdoor detected in 2021 was written in C and compiled with Microsoft Visual C/C++. Its second variant, although still C-based, was compiled with GCC and carries changes that extend its functionality. The Menorah variant differs greatly, as it was developed in .NET.

While SideTwist has only the /search/ URL path for the threat actor to interact with the target system, the second variant we examined also has the /getFile/ path. However, we did not observe these URL paths in the .NET variant detected under Menorah(…)

Mitigation Strategies

  • Deploy robust antivirus and anti-malware solutions to detect and block malware like SideTwist. Ensure that these tools are regularly updated to recognize new threats.
  • Educate employees about email phishing attacks, as these are common delivery methods for malware. Use email filtering and anti-phishing tools to block malicious emails.
  • Conduct regular cybersecurity training for employees to teach them about the dangers of malware and how to recognize suspicious activities or emails.
  • Use application whitelisting to allow only approved and known applications to run on your systems. This can prevent unauthorized and potentially malicious software from executing.
  • Implement network monitoring and intrusion detection systems to detect and respond to malicious activity in real-time.

Download YARA Rules and IoCs from GitHub.
